    Netgate Discussion Forum
    forwarding pfsense suricata alerts to security onion

    IDS/IPS
khemais:

Hello everyone,

I have a pfsense box running suricata on my WAN interface, and I want to ship the alerts that are raised by suricata to my Security Onion Standalone server.

Using syslog is not very beneficial for me since it's very noisy and alerts will be sent in multiple log lines. I was searching for a solution and I found that I need to install filebeat on my pfsense box and then utilize the ELK stack that comes natively with Security Onion; however, I didn't find any way to install filebeat.

How can I achieve this? Is there any better way to send the alerts raised on the pfsense box to the SIEM server?

Thanks in advance for your input!

bmeeks:

Currently the filebeat package (called beats7 or beats8 in the FreeBSD ports tree) is not available directly from the pfSense package repo.

It is available from the generic FreeBSD ports repo. If you want to grab that as a *.pkg file and use pkg to install it locally, you can give that a whirl. Just be sure you download the package from the FreeBSD repo that matches the ABI of the pfSense you have.

Since there is no GUI component of filebeat for pfSense, you would have to do all the configuring via the command line and also edit the service startup scripts so that filebeat gets properly launched at boot-up.

Adding the beats8 package to pfSense might be a good new feature. As you describe, it is the preferred method for exporting Suricata IDS/IPS logs to a third-party SIEM.

khemais:

@bmeeks thank you for your input.
I am fairly new to FreeBSD and pfsense in general;
Trying to pkg install beats7 or beats8 on the shell of my pfsense box throws an error saying that there is no package available matching those names, even though looking at the ports online I found what you mentioned. Found some other discussions in forums that suggest making a FreeBSD VM, forking the filebeat code and compiling it, then transferring it to the pfsense box since "pfSense is not a general purpose FreeBSD server. does not include the ports tree or a compiler environment." but it sounds like such a headache.

Was wondering if you could point me to an easier way.

Like you mentioned, having an IDS/IPS package in pfsense is good; having them with an OOTB alert shipment solution like beats is better. I don't think that syslog cuts it when it comes to this.

bmeeks (replying to khemais):

@khemais:
Because the package is not in the pfSense fork of the FreeBSD ports repo, you can't install it directly. You would have to specify an alternate package download URL.

What version of pfSense are you currently running? And is it CE or pfSense Plus?

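The manual route bmeeks outlines in his two replies above (fetch the beats8 package for your ABI from the generic FreeBSD mirror rather than the pfSense repo, install it locally with pkg, configure it from the command line, and hook it into boot), written out as an added shell example. This is not code from the thread, the pfSense project or the beats8 port, and it rests on several assumptions you should verify on your own box: pfSense 2.6.0 CE reports the FreeBSD:12:amd64 ABI; the mirror layout is https://pkg.freebsd.org/<ABI>/latest/All/; beats8 installs /usr/local/sbin/filebeat, /usr/local/etc/rc.d/filebeat and reads /usr/local/etc/beats/filebeat.yml; the pfSense Suricata package writes EVE JSON to /var/log/suricata/suricata_*/eve.json when EVE output is enabled; pfSense runs /usr/local/etc/rc.d/*.sh at boot; Security Onion accepts Beats on TCP 5044. The `include_lines` filter keeps only `alert` records, which is the answer to the syslog noise khemais mentions. The variable names SO_HOST, BEATS_PKG_FILE and RUN_INSTALL are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense/beats8. Assumptions are
# listed in the lead-in above; nothing is installed unless RUN_INSTALL=1.

# Accept only an ABI string of the form FreeBSD:<major>:<arch>, which is
# what `pkg config ABI` prints on a FreeBSD-derived system.
abi_is_valid() {
    case "$1" in
        FreeBSD:[0-9]*:[a-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the "All/" directory URL of the FreeBSD package mirror for an ABI
# (assumed layout: https://pkg.freebsd.org/<ABI>/latest/All/).
repo_url_for_abi() {
    abi_is_valid "$1" || { echo "bad ABI: $1" >&2; return 1; }
    printf 'https://pkg.freebsd.org/%s/latest/All/\n' "$1"
}

# Render a minimal filebeat.yml: tail the Suricata EVE files (assumed path),
# keep only alert records, and ship them to the Security Onion beats input.
render_filebeat_yml() {
    so_host="$1"
    cat <<EOF
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/suricata/suricata_*/eve.json
    json.keys_under_root: true
    json.add_error_key: true
    include_lines: ['"event_type":\s*"alert"']
    tags: ["suricata", "pfsense"]
output.logstash:
  hosts: ["${so_host}:5044"]
EOF
}

# Render a boot hook: pfSense is assumed to execute /usr/local/etc/rc.d/*.sh
# at boot, so this wrapper starts the rc script the beats8 package installed.
render_boot_hook() {
    cat <<'EOF'
#!/bin/sh
/usr/local/etc/rc.d/filebeat onestart
EOF
}

# Full procedure: fetch the package matching this box's ABI, install it,
# write the config and boot hook, validate config and output, then start.
install_filebeat() {
    so_host="$1"
    pkg_file="$2"   # e.g. beats8-<version>.pkg, copied from the All/ listing
    abi="$(pkg config ABI)"
    url="$(repo_url_for_abi "$abi")${pkg_file}"
    fetch -o "/tmp/${pkg_file}" "$url"
    pkg add "/tmp/${pkg_file}"
    render_filebeat_yml "$so_host" > /usr/local/etc/beats/filebeat.yml
    render_boot_hook > /usr/local/etc/rc.d/filebeat.sh
    chmod 755 /usr/local/etc/rc.d/filebeat.sh
    /usr/local/sbin/filebeat test config -c /usr/local/etc/beats/filebeat.yml
    /usr/local/sbin/filebeat test output -c /usr/local/etc/beats/filebeat.yml
    /usr/local/etc/rc.d/filebeat.sh
}

if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_filebeat "${SO_HOST:?set SO_HOST}" "${BEATS_PKG_FILE:?set BEATS_PKG_FILE}"
fi
```

Run it as `RUN_INSTALL=1 SO_HOST=<security-onion-ip> BEATS_PKG_FILE=<file from the All/ listing> sh install-filebeat.sh` from the pfSense shell; `filebeat test output` confirms the box can actually reach the Security Onion listener before anything is started, and the boot hook is what makes the service survive a reboot, since pfSense does not honor rc.conf entries the way a stock FreeBSD server does.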
khemais (replying to bmeeks):

@bmeeks I am running the latest version pfsense 2.6.0 community edition

bmeeks (replying to khemais):

@khemais said in forwarding pfsense suricata alerts to security onion:

@bmeeks I am running the latest version pfsense 2.6.0 community edition

Okay. Give me a bit and I will see if I can find some instructions that might work. I'm currently working on an update to Suricata to fix a reported bug, so it will be later today before I can check into filebeat.

khemais (replying to bmeeks):

@bmeeks Thanks a lot!
